One rather specific thing that may or may not apply to you, but I see very often on Ubuntu servers:

Docker containers completely bypass UFW rules (the default firewall on Ubuntu Server). Even if a port isn't open, if Docker forwards it to a container it will be accessible from the outside. So if you're running Docker, make sure your container port forwards are only bound to localhost (apart from the ones you want to expose intentionally, of course) and/or that you use the appropriate patches/scripts that fix this issue (there are a few different ways floating around the web).
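An added audit check for the Docker/UFW problem described above (example code, not from the comment author): it walks the `HostConfig.PortBindings` structure that `docker inspect` emits and reports every published port bound to something other than loopback, since those are reachable regardless of the UFW policy. The container data below is a constructed sample in that shape, not output from a real host; on a live server you would feed it `docker inspect $(docker ps -q)`.

```python
import json

# Constructed sample modelled on `docker inspect` output (not captured from
# any real host): one container publishing four ports in different ways.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/app",
    "HostConfig": {
        "PortBindings": {
            "80/tcp":   [{"HostIp": "", "HostPort": "8080"}],           # -p 8080:80
            "5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}],  # loopback only
            "6379/tcp": [{"HostIp": "0.0.0.0", "HostPort": "6379"}],    # explicit wildcard
            "9000/tcp": [{"HostIp": "::1", "HostPort": "9000"}],        # IPv6 loopback
        }
    },
}])

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def is_loopback(host_ip: str) -> bool:
    """True only for an explicit loopback address. An empty HostIp (what
    `-p 8080:80` produces) and the wildcards 0.0.0.0 / :: are not loopback."""
    return host_ip in LOOPBACK


def externally_reachable(inspect_json: str):
    """Return (container, host_ip, host_port, container_port) for every
    published port Docker binds on a non-loopback address. Docker inserts
    its own iptables rules ahead of UFW's chains, so each of these accepts
    traffic from outside no matter what `ufw status` says."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        host_cfg = container.get("HostConfig") or {}
        bindings = host_cfg.get("PortBindings") or {}   # None when nothing is published
        for cport, hosts in bindings.items():
            for h in hosts or []:
                ip = h.get("HostIp") or "0.0.0.0"       # empty string == all interfaces
                if not is_loopback(ip):
                    findings.append((name, ip, h.get("HostPort", ""), cport))
    return findings


if __name__ == "__main__":
    for name, ip, hport, cport in externally_reachable(SAMPLE_INSPECT):
        print(f"{name}: {ip}:{hport} -> {cport} is reachable despite UFW")
```

The fix for each finding is to republish with a loopback address (`-p 127.0.0.1:8080:80`) unless the port is meant to be public.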
Here's my checklist (some of these are the default on Ubuntu):

- disabled root account password
- ssh rejects root, allows only key-based auth, listens on non-standard port
- fail2ban is installed and active
- firewall is enabled and all ports are "closed" by default
Bare minimum:

1. Security updates/unattended upgrades
2. Sudo user (don't use root directly)
3. Log rotation
4. SSH. Key-based only. Ideally with a passphrase. No root login
5. Firewall. Only open ports that are needed (80, 443 etc.)

Then you can do other things as needed (private network etc.).
You need to secure the system as a whole (SSH, sudo, logs, firewalls, SELinux) and then each individual component (db access). For example, here's my thread on basic firewalld configuration[0] (yes, I know firewalld is not Ubuntu's default, but it's in the repository and can be used).

There is a lot to go through for a comment answer. I think a little bit of Googling will reveal some decent Ubuntu articles. I'll say at least this: scratch root access completely, and set up an admin account with SSH-key auth. That would be a good start to replace password access.

If you want to be more confident in system configuration, I wrote a book on the topic[1]. It uses enterprise Linux rather than Ubuntu, so I can teach SELinux too (which is actually a big security improvement).

[0] https://twitter.com/strzibnyj/status/1480494670299815939
[1] https://deploymentfromscratch.com
Have a look at https://github.com/dev-sec/ansible-collection-hardening
Further than a strong root account would be to disallow root login altogether. Rather, create a dedicated admin user with a strong password that's able to do privileged actions via sudo. This leaves an audit trail in case the admin account is compromised.
Here is everything that you need:
https://ubuntu.com/server/docs/security-introduction